The Ultimate Guide to VPN Port Forwarding

Many (but not all) VPN services use a NAT firewall to help protect customers from malicious incoming connections. This is great, but it can also block incoming connections that you want or need.

If a VPN offers port forwarding it can reroute incoming connections so that they bypass its NAT firewall. This allows you or others to access resources that would otherwise be blocked by the VPN server.

VPN port forwarding is very useful for:

Improving torrent speeds

Allowing remote access to your PC while away from home

Accessing a personal games or media server set up on your LAN

Port forwarding and torrenting

Incoming connections allow other torrent users to connect to your BitTorrent client and download files. In other words, they allow you to seed. And the more you seed, the faster your downloads will tend to be.

Seeding is also considered good netiquette, because without seeding nobody would be able to download anything! Torrenting is, after all, also called file-sharing for a reason!

A NAT firewall prevents others from initiating unsolicited new connections to you. Once a connection has been initiated from your side, however, the traffic returning on that connection is permitted.

When another BitTorrent user wishes to download a file (or piece of a file) that you have, it will try to initiate a connection with your BitTorrent client. If this is not possible thanks to a NAT firewall, it will alert your software that it wants to connect. Your BitTorrent client then initiates the connection, thereby bypassing the NAT firewall.

If the other downloader is not also behind a NAT firewall, then no problem. You can seed to them. When both parties are behind a NAT firewall, however, this is not possible, as neither party can initiate a connection!

This makes the P2P process much less efficient for all users, and if the only people holding the file/file pieces that you want are also behind a NAT firewall, then tough cheese. As more people use VPNs to protect themselves while downloading, this problem is only likely to get worse.

Not required

Port forwarding solves the problem, but it should be stressed that it is not required for downloading. As long as not everyone else sharing the same torrent is also behind a NAT firewall, you may not even notice any difference in your download speeds. You can also seed to them.

Because the benefits of port forwarding are often largely theoretical (especially for more casual torrent users), even many torrent-friendly VPN services do not feel it is a feature worth offering.

Here we are downloading a file in qBittorrent while connected to a VPN, but without port forwarding enabled. As we can see, download speeds are actually quite good despite upload speeds being very limited (but we are seeding nonetheless).

Port forwarding and eMule

Even more than with BitTorrent, eMule requires that you have open UDP and TCP ports that are available from the internet to work at its best. If open ports are not accessible from the internet, this results in what is termed low ID.

You can still share files with low ID, but downloads will be much slower than if you have high ID. Port forwarding is therefore particularly important for eMule users.

One major catch, however, is that eMule does not play ball very well with modern firewalls. Thanks to UPnP it can usually configure itself automatically to work with local firewalls such as Windows Defender and router-level NAT firewalls, but this does not work when you are also port forwarding remotely through a VPN’s NAT firewall.

Unfortunately, the only recourse, if you want to use port forwarding to achieve high ID in eMule, is to disable your Windows firewall. Needless to say, this is not ideal.

Is VPN port forwarding safe?

Open ports

In theory, any open port on your computer provides a way in for hackers. In practice, only programs that are actively listening on open ports are vulnerable.

So even if a hacker can somehow compromise your BitTorrent client, there is very little harm they can actually do with it! If you have opened a port to allow remote access to your PC, on the other hand, a hacker could do a lot more damage. Even then, though, the remote access software would need to have a known security vulnerability that the hacker could exploit.

An open port is an open port, and port forwarding through a VPN NAT firewall still leaves a port open. So not port forwarding through the VPN is safer than port forwarding, but port forwarding is still pretty darn safe.

It is also worth noting that if you port forward through a VPN service your connection remains securely encrypted by the VPN.

Port Fail

In 2015 Perfect Privacy published a security warning over VPN port forwarding, which it dubbed “Port Fail.” Despite the fact that network professionals have been aware of the issue since at least 2002, this “news” received a great deal of attention in the press.

Port Fail uses a fairly simple combination of time correlation and social engineering to expose the real IP address of other VPN users. The victim does not need to use port forwarding; it is the attacker who uses it.

This attack, however, is very easy to prevent. All a provider needs to do is set up different incoming and exiting IP addresses on its servers. What is a little surprising is that five of the nine port forwarding VPNs that Perfect Privacy tested had not implemented this basic security procedure!

Three of the providers fixed the flaw before Perfect Privacy published its warning, including Private Internet Access. The others appear never to have been named, and of course, many other providers were not tested.

Three years after the public furor over the issue, we certainly hope no VPN providers are continuing to make the same elementary mistake!

Static vs Dynamic VPN port forwarding

Some VPN services allow you to open a static port that does not change. Others will dynamically assign you a new port each time you make a new connection to one of their VPN servers. In practice, even dynamically assigned ports often stay the same over long periods of time. But they can change, and when they do, users are often not aware of it.

Static port forwarding is usually more convenient for customers, as you do not need to regularly change the port settings in your software. Just to complicate the issue, though, some providers allow you to specify a static port but will then reset it at regular intervals!

Dynamic port forwarding, on the other hand, is automatically configured using UPnP, which makes it easier for providers to implement. Again, the issue is complicated by the fact that some VPN services will reserve dynamically assigned ports for as long as you continue to use them regularly.

Dynamic port forwarding is more common than static port forwarding.

How to Port Forward Through a VPN NAT Firewall for Torrenting

If your VPN does not use a NAT firewall then there is no need for remote port forwarding anyway. If it does use a NAT firewall, then you can only port forward through it if the VPN provider offers port forwarding as a feature.

Providers who support port forwarding will provide specific instructions on how to enable it for their service. Usually, it goes something like this…

1. Enable VPN port forwarding. This is usually done in the user area of the VPN’s web interface but is sometimes done in the VPN client software. Some VPN services only allow port forwarding on specified servers.

AirVPN (above) allows you to manually specify up to 20 static ports to open using its web portal.

Mullvad lets you set up port forwarding using either its web interface or desktop client. Unlike AirVPN, open ports are randomly assigned, although it is not clear if they are dynamically allocated or static.

2. Change the listening port used for incoming connections to a port number you chose or were assigned in step 1.

3. Disable UPnP and/or NAT-PMP in the BitTorrent client. UPnP and/or NAT-PMP can be useful for bypassing local firewalls but are not useful for bypassing remote NAT firewalls. Worse, if enabled they may try to route connections through your router rather than through the VPN interface. This may result in your real IP address being exposed even when using a VPN.

And here they are in Vuze. Pretty much every BitTorrent client will have similar settings in their options menus.

4. With the torrent client running, visit CanYouSeeMe.org and enter the port number you have (hopefully) opened. Remember that an open port will only be detected if you have a program that is actively listening on that port.

All being well, you will see a message saying “Success.” Yay!

Other issues

Note that even with port forwarding successfully enabled, you may still see a yellow icon (or similar) indicating that upload connections are not optimized. This is not a major problem, and you can simply ignore it.

You can also try manually port forwarding through your router’s NAT firewall, which requires setting up a static IP. See here for instructions on how to set up a static IP and port forward on almost every router on the market.

How to Port Forward Through a VPN NAT Firewall for eMule

1. Enable VPN port forwarding as in Step 1 for torrenting above.

2. Open eMule and go to Options -> Connection -> Client Port. Make sure that “Use UPnP to Setup Ports” is not enabled.

4. Return to the eMule connection panel (step 1) and click “Test Ports". A web page will open which tests to see if ports used by eMule can be reached from the web.

Hopefully, you will see something like the above!

Conclusion

If you need to access a personal server or other LAN resources behind a VPN connection then you need to set up port forwarding. If you are just file sharing, you don’t - but it can improve performance (especially for eMule).

For more casual torrenters, the debatable benefits of port forwarding may not be worth the hassle of setting it up. Serious torrent-heads, however, will appreciate the performance gains and the fact that it benefits everyone using the BitTorrent network.

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating to cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

0x274832 VPN Junky

Regarding the "VPN Port Fail Attack": only the attacker needs port forwarding! This is not client related! You can forward as many ports as you wish without leaking your real IP address. Port Fail catches you even if you do not port forward a single port nor allow any incoming traffic! Solution for the client side: say your default gateway is 192.168.0.1 and it is on device eth0. 1st: Block ALL (INCOMING AND OUTGOING) traffic on "eth0"! 2nd: Add a rule allowing outgoing DNS traffic to 9.9.9.9 on UDP port 53 over "eth0". 3rd: Add a rule allowing the single IP address of your VPN provider over "eth0", so this rule set blocks any other outgoing traffic over your default gateway! Even if someone requests that you connect over your default route, this will block ALL traffic except the direct connection to the VPN gateway. The attacker cannot listen on the IP address of the VPN server and UDP 1194 at the same time!!! This is how I block anyone from rerouting my traffic over eth0!!!
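A client-side rule set along the lines the comment above describes, which also covers the warning in step 3 of the torrenting guide about UPnP routing connections around the VPN interface. This is an added example, not the article's or the commenter's own configuration: the interface names (eth0, tun0), the VPN endpoint 198.51.100.7 on UDP 1194, the resolver 9.9.9.9 and the forwarded port 51413 are constructed placeholders.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset that lets only the VPN
# handshake, DHCP and one bootstrap DNS lookup leave the physical interface,
# so nothing can be rerouted around the tunnel. All values are assumptions
# passed in by the caller; nothing is applied unless the output is piped
# into iptables-restore as root.
vpn_only_rules() {
    wan_if="$1"; vpn_ip="$2"; vpn_port="$3"; dns_ip="$4"; fwd_port="$5"
    tun_if="${6:-tun0}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections this host opened itself
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# keep the LAN lease alive (DHCP client to server)
-A OUTPUT -o $wan_if -p udp --sport 68 --dport 67 -j ACCEPT
# bootstrap: one resolver reachable via $wan_if to look up the VPN hostname
-A OUTPUT -o $wan_if -p udp -d $dns_ip --dport 53 -j ACCEPT
# the VPN handshake is the only other traffic allowed out via $wan_if
-A OUTPUT -o $wan_if -p udp -d $vpn_ip --dport $vpn_port -j ACCEPT
# everything else goes through the tunnel
-A OUTPUT -o $tun_if -j ACCEPT
# unsolicited connections are accepted only on the provider-forwarded port
-A INPUT -i $tun_if -p tcp --dport $fwd_port -j ACCEPT
-A INPUT -i $tun_if -p udp --dport $fwd_port -j ACCEPT
# anything else trying $wan_if directly (UPnP, a pushed route) is logged, then dropped
-A OUTPUT -o $wan_if -m limit --limit 5/min -j LOG --log-prefix "vpn-bypass: "
-A OUTPUT -o $wan_if -j DROP
COMMIT
EOF
}

# Usage: vpn_only_rules eth0 198.51.100.7 1194 9.9.9.9 51413 | sudo iptables-restore
if [ "$#" -ge 5 ]; then
    vpn_only_rules "$@"
fi
```

The LOG line is what turns a bypass attempt into something you can see in the kernel log rather than a silent leak; DNS over the physical interface is allowed only so the VPN hostname can be resolved before the tunnel exists.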